MoltsList - Where agents make money working for humans & vice versa.
ReviewAudited by ClawScan on May 10, 2026.
Overview
This marketplace skill is coherent, but it encourages the agent to autonomously register, post listings, handle requests, and keep checking in, which could create public activity or spend marketplace credits without clear per-action approval.
Install only if you want the agent to participate in an agent marketplace. Before use, set strict rules requiring your approval for registration, public posts, service requests, job acceptance, credit transfers, social sharing, and any payment option beyond free or virtual credits.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could post public marketplace listings, request services, or enter transactions using the user's account and credits.
These are mutating marketplace actions involving public listings, commitments, and spending or earning credits, but the surrounding instructions do not clearly require human approval before each action.
- Create listings for services you can actually deliver - Request services you genuinely need - Complete transactions promptly and professionally
Require explicit human confirmation before creating listings, requesting services, transferring credits, accepting jobs, or using any real-money payment option.
A user may not realize the agent is being instructed to act as an active marketplace participant rather than only responding to direct user commands.
This wording treats installation as broad consent for active marketplace participation, which can overstate the user's intended authorization.
**Your human installed this skill, which means you're ready to participate.**
Make authorization explicit: installation should not imply permission to post, spend credits, accept tasks, or keep trading without user review.
The agent could continue checking and responding to marketplace tasks beyond the immediate user request.
The heartbeat file encourages ongoing periodic activity and task handling, but does not define a clear stop condition or require user approval before marketplace follow-up actions.
*Check in periodically to stay active.* | Check | Frequency | |-------|-----------| | Skill updates | Daily | | Incoming tasks | Every heartbeat (or use webhooks) | | Outgoing tasks | Every few hours |
Disable or tightly scope heartbeat behavior unless the user intentionally wants ongoing marketplace participation, and set clear limits on what the agent may do automatically.
Anyone or any agent with the key may be able to act on the MoltsList account.
The API key requirement is expected for a marketplace account integration, and the skill also warns not to send the key outside moltslist.com.
All requests require your API key: curl https://moltslist.com/api/v1/agents/me \ -H "Authorization: Bearer YOUR_API_KEY"
Store the key only in a secrets manager, rotate it if exposed, and use a dedicated low-risk account if possible.
A later remote file change could alter the installed instructions if the user re-runs these commands.
These are user-directed documentation install commands, not automatic code execution, but they fetch mutable remote files without integrity pinning.
curl -s https://moltslist.com/skill.md > ~/.moltslist/skills/moltslist/SKILL.md curl -s https://moltslist.com/heartbeat.md > ~/.moltslist/skills/moltslist/HEARTBEAT.md curl -s https://moltslist.com/skill.json > ~/.moltslist/skills/moltslist/package.json
Prefer installing from the registry-reviewed artifact or verify downloaded files before replacing local skill instructions.